
By Aaron Louise Aguilar, Auto Threat Researcher
Imagine plugging in your electric vehicle (EV) at a public charging station, only to find it “bricked,” that is, rendered completely unusable, because of a simple misconfiguration, leaving you stranded and frustrated. Or picture charge point operators (CPOs) grappling with widespread outages, skyrocketing maintenance costs, and lost revenue as outdated firmware exposes their infrastructure to low-effort attacks.
These scenarios are no longer hypothetical. Security researchers Marcell Szakály and Jan “SP3ZN45” Berens, in their presentation at DEF CON 33, exposed how vulnerabilities in EV charging communication threaten not only technology, but also real-world reliability for both drivers and CPOs.
This blog examines their findings, highlighting their broader implications for the EV charging industry.
One modem chip to "brick" them all
EV charging relies on sophisticated protocols, with the Combined Charging System (CCS) as the most widely used standard in Europe and the US. At the physical layer, CCS uses power line communication (PLC) based on HomePlug GreenPHY (HPGP), a technology that modulates Ethernet frames over existing power lines. This setup enables the vehicle and charger to communicate securely, or so it was thought.
The researchers noted that all the CCS chargers they tested rely on Qualcomm’s QCA7000 or QCA7005 PLC modem chips, many of which still run firmware dating back to 2013. While this hardware uniformity helps maintain interoperability across vendors, it also creates a single point of failure. A vulnerability in one chip can brick or affect the entire EV charging ecosystem.
A misconfiguration nightmare
The Parameter Information Block (PIB), a proprietary binary configuration file stored on the modem, controls essential parameters, including the MAC address, Network Membership Key (NMK), and Signal Level Attenuation Characterization (SLAC) settings. It also includes a security flag at offset 0x1F8C, which determines whether remote read/write operations are allowed over the PLC network.
In their lab setup, the researchers demonstrated how attackers with physical access to a charging cable can exploit this. By emulating an EV, an attacker can join the PLC network and overwrite the PIB, potentially disabling the charger permanently. They refer to this attack technique as “PIBuster.”
Of the 69 CCS connectors the researchers surveyed in California, 41 allowed PIB reads, and all were vulnerable to writes. This means nearly 60% of tested charging stations could be bricked by an attacker, requiring hardware replacement for recovery.
Signal leakage and ground-based attacks
The researchers also discussed emerging physical layer threats. As HPGP operates in the 1 to 30 MHz range, the charging cable emits electromagnetic fields that leak into the surrounding environment. This common-mode radiation enables eavesdropping without any direct physical connection.
A simple wire or induction coil can then capture PLC signals from up to one meter away, allowing passive sniffing of the SLAC handshake, during which the NMK is transmitted in plaintext. Active attacks, such as the Brokenwire attack technique disclosed in 2022, also remain feasible.
The shared ground between the vehicle and charger creates unexpected attack vectors. Connecting to building ground, vehicle wheels, or even nearby Ethernet cabling could allow remote interference. Denial of service (DoS) attacks are trivial, as filling the PLC’s sliding window protocol halts communication, making rogue devices nearly undetectable.
Custom code execution
By dumping and reversing the bootloader, the researchers discovered that the main PLC firmware is compressed rather than encrypted, allowing it to be easily decompressed for analysis. This enabled custom code execution, including a modified version of the game Doom. A similar exploit was pulled off at Pwn2Own Automotive, where researchers ran a playable version of the classic first-person shooter game on an in-vehicle infotainment (IVI) system.
Beyond its creativity, this exploit highlights a wider range of possibilities, including far more serious threats. With code execution, attackers could create custom PLC firmware, bypass protocols, or enhance eavesdropping.
The situation is worsened by the lack of public documentation and the industry’s reliance on non-disclosure agreements (NDAs), a form of “security through obscurity” that fails easily, especially when reverse engineering is straightforward via open-source tools such as open-plc-utils.
Broader industry impacts
The vulnerabilities in EV charging communication, from outdated, uniformly deployed PLC modems to full custom firmware execution, have the following far-reaching industry impacts:
Impacts on CPOs and EV charger manufacturers
- Operational and financial impacts. A successful PIBuster attack can brick a charger, forcing hardware replacements that cost hundreds to thousands of dollars per unit. Affected CPOs of vulnerable stations risk network-wide downtime, revenue losses from out-of-service stations, and escalating maintenance expenses. Manufacturers face potential liability for insecure defaults in shipped devices, potentially leading to recalls, warranty claims, and lost market share.
- Security and compliance pressures. PLC modem chips deployed with 2013 firmware remain unpatched for issues such as Brokenwire. This exposes CPOs to vandalism, service disruption, and possible non-compliance with cybersecurity standards such as ISO/SAE 21434. As a result, they must allocate budgets for security audits, firmware updates, and enhanced physical protections, while manufacturers may face fines or bans in regulated regions.
- Scalability. Signal leakage and ground-based attacks enable undetectable remote sabotage, complicating scalability for CPOs who may need to retrofit existing infrastructure. This also forces manufacturers to develop more secure hardware designs, risking delays in an already competitive market.
Impacts on car owners
- Reliability and convenience disruptions. Bricked or jammed stations cause unexpected halts, sometimes requiring costly workarounds such as towing or long detours. In underserved areas, these disruptions amplify inconvenience and can discourage long-distance EV use.
- Privacy and safety concerns. Signal leakage during SLAC allows NMKs to be captured in plaintext, enabling eavesdropping on charging data. Ground-based interference via the vehicle chassis enables remote attacks, raising safety concerns in high-voltage environments and privacy concerns about intercepted data.
- Economic and adoption barriers. Outages increase EV ownership costs by causing wasted time, higher charging fees, or vehicle downtime. This could slow EV adoption, as frustrated car owners question EV reliability, impacting sales and the broader shift to electric mobility.
Conclusion
The good news is that effective mitigations to these vulnerabilities exist, and many begin with a simple inspection of deployed devices. Checking the PIB in Qualcomm QCA7000/7005 modems and ensuring the security byte at offset 0x1F8C is set to 1 can block remote read/write operations over the PLC network. This single configuration change can prevent PIBuster-style attacks.
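The check described above, and the PIB layout described earlier in the post, can be turned into a small fleet-audit helper. The following is an added example written for this post; it is not code from the researchers, from Qualcomm, or from open-plc-utils. It assumes only what the post states: the PIB is a binary image and the security flag is the byte at offset 0x1F8C, with the value 1 blocking remote read/write over the PLC network. The sample PIB images are constructed, zero-filled stand-ins, and the hardening step patches the byte in memory only; the real file carries header integrity fields that this example does not recompute, so a patched image should be written back with the vendor tooling or open-plc-utils rather than copied verbatim.

```python
"""Audit the QCA7000/QCA7005 PIB security flag across a fleet of dumped images.

Added example for this post (not the researchers' or any vendor's code).
Assumes, as the post states, that the flag is the byte at offset 0x1F8C and
that the value 1 blocks remote PIB read/write over the PLC network.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PIB_SECURITY_FLAG_OFFSET = 0x1F8C   # offset named in the post
SECURITY_FLAG_LOCKED = 1            # value the post says blocks remote read/write


@dataclass(frozen=True)
class PibAuditResult:
    label: str
    flag_value: Optional[int]       # None when the image is too short to hold the flag
    remote_rw_blocked: bool


def audit_pib(image: bytes, label: str = "<memory>") -> PibAuditResult:
    """Report whether a PIB image has the security flag set to the locked value."""
    if len(image) <= PIB_SECURITY_FLAG_OFFSET:
        # A truncated dump cannot be judged; treat it as not verified rather than safe.
        return PibAuditResult(label, None, False)
    value = image[PIB_SECURITY_FLAG_OFFSET]
    return PibAuditResult(label, value, value == SECURITY_FLAG_LOCKED)


def harden_pib(image: bytes) -> bytes:
    """Return a copy of the image with the security flag set to the locked value.

    Only the flag byte is touched; the caller must let proper tooling rewrite
    the header integrity fields before flashing the result to a modem.
    """
    if len(image) <= PIB_SECURITY_FLAG_OFFSET:
        raise ValueError("image too short to contain the PIB security flag")
    patched = bytearray(image)
    patched[PIB_SECURITY_FLAG_OFFSET] = SECURITY_FLAG_LOCKED
    return bytes(patched)


def make_sample_pib(flag: int, size: int = 0x2000) -> bytes:
    """Constructed stand-in for a PIB dump: zero-filled, with only the flag byte set."""
    buf = bytearray(size)
    buf[PIB_SECURITY_FLAG_OFFSET] = flag
    return bytes(buf)


def audit_fleet(images: Dict[str, bytes]) -> Dict[str, PibAuditResult]:
    """Audit every dumped image, keyed by the label used for the dump."""
    return {label: audit_pib(img, label) for label, img in images.items()}


def summarize(results: Dict[str, PibAuditResult]) -> Tuple[int, int]:
    """Return (number of images NOT locked, total images audited)."""
    exposed = sum(1 for r in results.values() if not r.remote_rw_blocked)
    return exposed, len(results)


if __name__ == "__main__":
    # Constructed fleet: two open chargers, one locked, one truncated dump.
    fleet = {
        "charger-A.pib": make_sample_pib(0),
        "charger-B.pib": make_sample_pib(1),
        "charger-C.pib": make_sample_pib(0),
        "truncated.pib": b"\x00" * 16,
    }
    results = audit_fleet(fleet)
    for label, r in results.items():
        shown = "n/a" if r.flag_value is None else f"0x{r.flag_value:02X}"
        status = "locked" if r.remote_rw_blocked else "EXPOSED / unverified"
        print(f"{label:16} flag={shown:4} {status}")
    exposed, total = summarize(results)
    print(f"{exposed} of {total} images still allow remote PIB access or could not be checked")
```

Run over real dumps, the audit step is the cheap inspection the post recommends; the hardened copy is a review artifact for the operator, and the actual write-back belongs to the modem tooling so that the file's header fields stay consistent.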
Protocol-level redesigns, such as improved cable shielding and frequency adjustments, should also be considered to reduce signal leakage. Regular firmware audits are equally important to address present issues.
Beyond the mitigations for already known vulnerabilities, the industry must also prepare for zero-day threats. In the latest edition of Pwn2Own Automotive, researchers demonstrated how exploit chains can both extend to and originate from EV charging devices. In such scenarios, charger-level vulnerabilities will no longer be the attacker’s end goal. They will become stepping stones to compromise vehicles, backend systems and the broader mobility ecosystem.
By acting on both known and emerging vulnerabilities, industry stakeholders can strengthen the EV charging ecosystem, a critical foundation for securing the next generation of connected vehicles.